Recently, the Belgian Privacy Commission addressed personal privacy concerns about Facebook social plug-ins, such as the "Like" and "Share" buttons.
These plug-ins allow Facebook to track individuals who use them outside of the Facebook platform by installing permanent cookies on users' devices, whether or not the person is logged in to Facebook, or is even a registered Facebook user. These cookies are then used to collect browsing data and for advertising purposes.
According to the Privacy Commission, this use of cookies by the Facebook social plug-ins constitutes the collection and processing of users' personal information, thus triggering the requirement that clear and specific consent must be given before any personal information can be collected or processed.
While registered Facebook users have given their clear and specific consent during the registration process, Facebook non-users have not given it.
Because of this, the Privacy Commission has made a few recommendations:
- Facebook should not place unique identifier and long-lasting cookies on devices that belong to users who are not registered Facebook users or who have not given clear and specific consent that this would be acceptable to them;
- Facebook should be more transparent about how they use cookies, including how cookies are used in their embedded plug-ins such as the "Like" and "Share" buttons on third-party websites.
Similarly, website owners are encouraged to create new relevant policies, such as a "Social Share Privacy" policy, where users can find out about cookies that may be installed when clicking "Like" or "Share" buttons.
While the above points reference Facebook, these points are very important for other websites and mobile apps as well. These recommendations should be applied to all embeddable plug-ins used by websites or mobile apps that place cookies on a device when used.
If your business is developing an embeddable web plug-in that is similar to the Facebook "Like" and "Share" buttons, you will want to pay attention to the recommendations above.
SoundCloud and YouTube are examples of websites that offer popular embeddable plug-ins.
The following image is a SoundCloud page where users can choose and customize options for the plug-in before embedding it. The embed code is generated automatically so that it can be easily shared on any website.
From video sharing to commenting on blog posts to re-posting news articles, these kinds of plug-ins help websites and media outlets spread their content.
Follow these steps with your plug-in to ensure compliance with important global privacy laws.
Recommendations for web plugins
Always obtain consent
Before placing any cookies on a user's device or collecting any personal information that you plan to use in the future, make sure you obtain consent to do this. Consent can be obtained by getting your users to agree to your Privacy Policy.
Always provide a link to your Privacy Policy when obtaining consent, and make sure that the Privacy Policy contains relevant and important information that outlines the collection of personal data.
Below is an example of how to obtain consent to collect personal information through the use of cookies. The Thomas Cook website lets individuals who visit the site know that cookies are in use, asks for clear acceptance of this fact, and provides users with the opportunity to learn about its Cookie Policy by providing a link to the document.
In the image below, note how Facebook makes all users who sign up agree to Facebook's Terms, the Data Use Policy, and the Cookie Use Policy.
Facebook then, in one or more of these policies, describes practices of how personal information is collected and how cookies are placed. By providing this information to users who wish to sign up, and by making acceptance and agreement to these terms part of the sign up process, Facebook is ensuring that registered users will be considered to have given consent for what is found in those legal agreements.
Make sure to include the following information in your Privacy Policy or Cookie Policy agreements:
- What data you collect
- Why you collect this data
- How you collect it
- What the data will be used for
Below is an excerpt from Facebook's Cookie Policy page, which states that "cookies, pixel tags ("pixels"), device or other identifiers and local storage (collectively, "Cookies and similar technologies") are used to deliver, secure, and understand products, services, and ads, on and off the Facebook Services."
No consent, no cookies
If you have not obtained clear and actual consent from a user to place cookies on their device, do not place them.
Facebook does include a section in its Privacy Policy for how it uses cookies on individuals' devices even if they do not have Facebook accounts. However, this section is buried in an agreement that people who don't use Facebook might never think to check.
There's also no consent or agreement given by people who don't use Facebook to have these cookies placed.
This leads to the second recommendation of the Privacy Commission that all businesses with embeddable web plugins should pay attention to.
Be transparent
If your plugin can be embedded on a third party site and used by individuals who are not registered with your actual website, and if cookies are placed on these users' devices after using the plugin, this fact should be made clearly known to people who will potentially be using your plugin.
Consider having a separate link on your website homepage that says something like "Social Sharing Plug-in Privacy Information" so that users can easily notice that there is a separate informative section that would be relevant for people who aren't registered with the entire website but who do use the social sharing plugin.
Not only should the business behind the embedded plugin make this information readily available to the public and potential users, but third party websites that embed the plugin should also take steps to let users know that personal data is being transferred and processed when the plug-in is used.
SoundCloud offers an embeddable plugin that allows users to share their music and audio with others on the internet by sharing the plugin on a website or blog. This plugin makes it easy and convenient to share information with your website visitors.
The SoundCloud embedded player has a prominently placed link to its Cookie Policy page, viewable on the bottom left of the image above.
Within that agreement, note how SoundCloud includes information about how activities such as Likes, Follows, and Plays are tracked within the app and sent to a third party, Localytics.
Similarly, Disqus, the popular social media sharing platform, allows for easily embedding their website plug-in on other websites and platforms to include a comment section.
The image below shows how Disqus is incorporated into The Next Web website at the bottom of articles.
The Privacy Policy of Disqus is placed at the bottom of the embeddable plugin. Note the Privacy icon.
When accessed, the Privacy Policy of Disqus mentions how the information collected from users may be sent to the app from third parties.
The applicable language states:
We may receive personally identifiable information about you from third parties, including, for example, information about your transactions, purchase history, or relationships with various product and service providers, and your use of certain applications.
For example, if you access our website or Service through a third-party connection or log-in, for example, through Facebook Connect, by "following," "liking," linking your account to the Disqus service, etc., that third party may pass certain information about your use of its service to Disqus.
This means that a user's personal information can be shared with Disqus simply by that user clicking that they "like" Disqus on Facebook. Nobody would think to check the Privacy Policy of a company they click "like" for on Facebook to see if personal information is being collected.
This is why Facebook, Disqus, and any other business or website that either creates or utilizes third-party embedded plug-ins should make this information much more easily accessible and well-known.
By following these guidelines for your embeddable web plug-in, you will stay compliant and help promote good privacy law practices.
Always make a link to your Privacy Policy and Cookies Policy available and easily noticeable to your users.
For example, Facebook could follow the approach that SoundCloud and Disqus have taken by providing these legal agreement links directly on the "Like" page embeddable plugin.
In the image above, the area within the yellow box would be a great area to place links to legal agreements because the area is prominent and would not be missed by anyone who would be about to click the "Like" button.
This placement would make sure that no matter what website the "Like" plugin is being used on, a user is aware that by clicking "Like" there may be personal data collected or cookies placed.